Abstract. We study the security of a specific authentication procedure of interest in the context of Quantum Key Distribution (QKD). It works as follows: use a secret but fixed Strongly Universal (SU2) hash function and encrypt the output tag with a one-time pad (OTP). If the OTP is completely secret, the expected time for an adversary to create a tag for a chosen message is exponential in the tag length. If, however, the OTP is partially known in each authentication round, as is the case in practical QKD protocols, then the picture is different: the adversary's partial knowledge of the OTP in each authentication round gives partial information on the secret hash function, and this weakens the authentication in later rounds. The effect of this is that the lifetime of the system is linear in the length of the fixed key. This is supported by the composability theorem for QKD, which in this setting provides an upper bound to the security loss on the secret hash function that is exponential in the number of authentication rounds. This needs to be taken into account when using the protocol, since the authentication gets weakened at each subsequent round and thus the QKD-generated key is not as strong as when the authentication is strong. Some countermeasures are discussed at the end of this paper.
1 Introduction

QKD is a provably secure key growing technique based on the laws of quantum physics. It was first introduced by Bennett and Brassard in 1984 [1], and uses a so-called quantum channel that obeys the laws of quantum physics, together with a public communication channel. A QKD round consists of five steps: raw key generation on the quantum channel, followed by sifting, error detection and reconciliation, privacy amplification, and authentication on the public channel; see [2-7] for the details of these steps. Practical implementations of QKD need a low-noise quantum channel but also an immutable public communication channel. Without the latter, QKD can trivially be broken by a man-in-the-middle attack. Therefore, secure message authentication is indispensable for the security of QKD [8].

In the standard proposed QKD, authentication is achieved by using 
the Wegman-Carter approach [9, 10], based on the idea of Universal hash- 
ing. The security of the Wegman-Carter authentication in the context of 
QKD was studied in [11], noting some problems arising from usage of a 
partially known key, and detailing some countermeasures. 

1.1 Authentication with secret fixed hash function and OTP 

The main goal of this paper is to study the security of authentication with a fixed key in the context of QKD. Namely, we study the security of an authentication procedure that works as follows: The legitimate communicating parties, Alice and Bob, share in advance a secret but fixed hash function $f$ taken at random from an SU2 hash function family, and a short secret key to be used as OTP. During the public discussion phase of each QKD round, Alice sends the classical message and tag pair $(m, t)$ with $t = f(m) \oplus K$, where $K$ is the OTP, to Bob. Upon receiving the message-tag pair $(m, t)$, Bob verifies whether the message $m$ did originate from Alice by comparing $f(m) \oplus K$ to $t$: if they are identical, then he accepts $m$ as authentic; otherwise, he rejects it.

This authentication primitive was originally proposed by Wegman and Carter in [10] with the intent to reduce the key consumption rate of authentication. Low key consumption is essential in QKD, since the key consumption rate of the used authentication directly influences the key growing rate. Wegman-Carter authentication with a fresh $\varepsilon$-ASU2 hash function in each round has a key consumption rate which is logarithmic in the message length, while keeping the hash function fixed and encrypting the tags reduces this: each round then consumes only a fresh OTP of the tag length, so the total key consumption grows linearly in the tag length with the round count, independently of the message length.

Partial knowledge of the OTP key $K$ leaks information on the secret but fixed SU2 hash function $f$. In QKD, the privacy amplification step reduces the information leaked to Eve during each round, but not all the way to zero. Thus Eve may still have some partial knowledge of the OTP key used for authentication in the subsequent rounds. This information, $\varepsilon$, on the OTP key $K$ in each round leaks $\varepsilon$ information on the secret hash function $f$. Intuitively, the information on $f$ leaked to Eve is linear in the number of authentication rounds. In what follows, we show that this is really the case, and in fact Eve will eventually have enough knowledge of the hash function $f$ to enable her to create a tag for her forged message. Furthermore, the composability theorem for QKD gives an exponential upper bound for the security loss of the system.

1.2 Our contributions 

In the case when the OTP key $K$ is completely secret to Eve, it behaves as an evenly distributed random variable to her (which is the reason for the upper-case $K$ notation). In this case, the best attack for Eve would be to guess the value of $t_E$, the tag value for her message $m_E$. Since all tag values are equally possible, the probability of each guess succeeding is one divided by the size of the set of all possible tags, $|\mathcal{T}|$. Furthermore, she can gain no knowledge about the secret hash function $f$ from guessing, because $K$ in the current round is independently distributed from previous rounds. The probability of a successful guess would in each round be $1/|\mathcal{T}| = 2^{-\log|\mathcal{T}|}$, which implies that the expected lifetime

$$n = |\mathcal{T}| = 2^{\log|\mathcal{T}|} \qquad (1)$$

is exponential in the tag length $\log|\mathcal{T}|$.

We are interested in seeing how this exponential lifetime behavior would change if Eve has some knowledge of $K$ in each round. In the remainder of this paper we estimate how many rounds it takes for Eve to gain complete knowledge of the secret but fixed hash function $f$ (taken at random from an SU2 family), under the assumption that the practical implementation of the QKD protocol generates an $\varepsilon$-perfect key in each run. We refer to [12] for the definitions of perfect and $\varepsilon$-perfect keys, and of ideal and $\varepsilon$-ideal protocols. Note that since the authentication primitive uses a fixed SU2 hash function, the sequence of security parameters for the key stream generated from the QKD protocols cannot be made a geometric sequence by increasing the protocol complexity at each run, as discussed in [12]. By fixing Eve's partial knowledge of the OTP key in each authentication round, we derive an estimate for the lifetime of the system which is linear in the length of the key identifying $f$ and inversely proportional to her partial knowledge of the OTP.

This is not in conflict with the composable security of QKD, which implies that the key generated by QKD can be used securely in classical cryptographic tasks such as authentication [12,13]. In this case, however, the authentication procedure itself degrades as the authentication round count increases. Below, we show that the composability theorem for QKD predicts that the security loss on the fixed secret hash function is exponentially upper bounded in the number of authentication rounds.



It should be pointed out that the attack needs a large computational 
capacity of the attacker. Usually, no bounds are imposed on the com- 
putational capacity of an eavesdropper attacking a QKD system. This 
is because QKD is provably secure based on laws of nature, rather than 
computational complexity as is usually the case for key-sharing systems. 
This large computational need of the attack will unfortunately limit sim- 
ulations in this paper because of our bounded computational power. 

1.3 Organization of the paper 

The rest of the paper is organized as follows. In Section 2, we present an 
attack and estimate its effect on the system under simplifying assump- 
tions, and also present simulations on a SU2 hash function family, followed 
by a modification to the attack that establishes the desired lifetime. Sec- 
tion 3 contains the theoretical upper bound for the security loss predicted 
by the composability theorem for QKD. Finally, Section 4 concludes the 
paper. 

Notation. In what follows, $\mathcal{M}$ is the set of messages, $\mathcal{T}$ is the set of tags, $\mathcal{H}$ is a family of hash functions $f : \mathcal{M} \to \mathcal{T}$ with $|\mathcal{H}| = H + 1$, and $\mathcal{H}_i$ are integer-indexed subsets of $\mathcal{H}$. Logarithms are in base 2. The random variables used are $K$, $N$, and $X_i$, while lower-case $m$ denotes a message and $t$ a tag; $m_E$ and $t_E$ are Eve's message and attempt at a tag.

2 Attack and lifetime estimate 

Eve would like to perform an attack which is better than simply guessing 
the tag. Ideally, it should be better in two ways: it should succeed with 
high probability, and should not be detected easily. Eve wants in essence 
a good covert attack. The below description delineates an attack which 
achieves both goals: the expected number of rounds until success will be 
much lower than for the guessing attack, and in addition, the attack is 
covert, meaning that Eve only listens to the communication between Alice 
and Bob for a number of rounds, and only launches an attack when she 
is sure that it will succeed. 

The attack is as follows: Eve's goal is to identify the used hash function $f$ among the $H+1$ hash functions in $\mathcal{H}$, i.e., to eliminate $H$ functions from $\mathcal{H}$. In each QKD round, Eve intercepts a valid (classical) message-tag pair $(m, t)$, where $t = f(m) \oplus K$, from, say, Alice to Bob. The random variable $K$ (random to Eve) is not entirely evenly distributed because of Eve's partial knowledge. We will, in what follows, assume that her knowledge is such that she knows a few values of $K$ that have probability 0. She uses this knowledge to identify possible candidates for $f(m)$. This means that in each run, Eve can identify a subset $\mathcal{H}_i$ out of all the possible hash functions in $\mathcal{H}$ by eliminating the hash functions (in $\mathcal{H}$) that do not hash $m$ to the set of possible candidates for $f(m)$. The set $\mathcal{H}_i$ will consist of the true match (the fixed secret hash function) and a number of false matches.

The set $\mathcal{H}_i$ can in principle be of different size depending on the hash function family, which hash function is used, and the message, but here we are focusing on Strongly Universal hash function families and in this case, the inverse image of any tag has the same size, and each subset has the same size $|\mathcal{H}_i| = h$. Therefore, Eve's information on $K$ in terms of min-entropy translates directly into the quantity $-\log(h/H)$.



2.1 Bounds using simplifying assumptions 

After $i$ runs the set of possible hash functions will decrease to $\bigcap_{j=1}^{i} \mathcal{H}_j$. In general, the remaining number of false matches in this intersection is a random variable

$$X_i = \Big|\bigcap_{j=1}^{i} \mathcal{H}_j\Big| - 1. \qquad (2)$$

We are interested in the expected time it takes until Eve has identified the (no longer secret) true hash function, that is, the expectation of the (random) index $N$ that is the earliest that gives $X_N = 0$ (such that $X_{N-1} \ge 1$).

By assuming that each round is independent of the former, and that each subset is exactly evenly distributed within the previous subset, we obtain $X_i = X_{i-1}\,h/H$. This is only possible when the $X_i$ are continuous variables; we will analyze the discrete (integer-valued) case below. With $X_0 = k$ we obtain $X_1 = kh/H$, $X_2 = k(h/H)^2, \ldots, X_i = k(h/H)^i$. Now, our demand $(X_N = 0) \cap (X_{N-1} \ge 1)$ translates into $(X_N < 1) \cap (X_{N-1} \ge 1)$, which in turn implies that $N \mid (X_0 = k)$ is not random in this case, but is in fact equal to a number $n_k$ for which

$$k\Big(\frac{h}{H}\Big)^{n_k} < 1 < k\Big(\frac{h}{H}\Big)^{n_k - 1}, \qquad (3)$$

which after some algebra simplifies to

$$n_k - 1 < \frac{\log k}{-\log\frac{h}{H}} < n_k, \qquad (4)$$

that is,

$$n_k = \left\lceil \frac{\log k}{-\log\frac{h}{H}} \right\rceil. \qquad (5)$$

In particular, $n_H = \lceil \log H / (-\log(h/H)) \rceil$, which means that the lifetime of the system would be directly proportional to the key length¹ divided by the information on the OTP used in each step. This is what we would expect of a system in which there is a constant gain of information in each run.

In the discrete case, the analysis is more complicated. We extend to a random draw of hash functions, but keep the assumption that each round is independent of the former. This means that the probability of drawing a hash function present in $\bigcap_{j=1}^{i-1} \mathcal{H}_j$ in run $i$ only depends on $X_{i-1}$, which corresponds to a random draw of $h$ elements without replacement from $H$, where there are two types of elements: those in $\bigcap_{j=1}^{i-1} \mathcal{H}_j$ ($X_{i-1}$ of them), and those outside the set. In other words, the number of hash functions in $\bigcap_{j=1}^{i} \mathcal{H}_j$ given $X_{i-1}$ is hypergeometrically distributed, so that

$$p_{jk} := P(X_i = j \mid X_{i-1} = k) = \frac{\binom{k}{j}\binom{H-k}{h-j}}{\binom{H}{h}}. \qquad (6)$$

The expected lifetime when $k$ false hash functions remain is

$$n_k = E(N \mid X_0 = k). \qquad (7)$$

Then, $n_0 = 0$ and

$$n_k = \sum_{j=0}^{k} E(N \mid X_1 = j)\,P(X_1 = j \mid X_0 = k) = \sum_{j=0}^{k} \big(E(N \mid X_0 = j) + 1\big)\,P(X_1 = j \mid X_0 = k) = 1 + \sum_{j=0}^{k} p_{jk}\,n_j. \qquad (8)$$

Solving for $n_k$ gives

$$n_k = \frac{1 + \sum_{j=0}^{k-1} p_{jk}\,n_j}{1 - p_{kk}}, \qquad (9)$$

and since $p_{jk}$, $j = 0, 1, \ldots, k$, are given explicitly above, the $n_k$ can be calculated from this equation, although the expressions are complicated.
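As an added worked example (not code from the original paper), the following Python evaluates the lifetime estimates of this section for one parameter set: the deterministic stopping rule behind (3)-(5), the exact expectation $n_k$ from the hypergeometric recurrence (9), and the closed-form bound (22) derived further down. The values $H = 255$ and $h = 230$ are this example's own illustrative choice (about 10% of the false matches are eliminated per round), not the paper's simulation parameters; the function names are likewise the example's.

```python
from math import comb, log2, sqrt


def continuous_lifetime(k, h, H):
    """Stopping rule of eqs. (3)-(5): with k false matches and exactly the
    fraction h/H of them surviving each round, return the first n with
    k*(h/H)^n < 1, i.e. the deterministic n_k of the continuous model."""
    n = 0
    while k * (h / H) ** n >= 1:
        n += 1
    return n


def hypergeometric_transition(j, k, h, H):
    """p_jk of eq. (6): P(X_i = j | X_{i-1} = k) when the h functions kept in
    a round are a uniform draw without replacement from the H false ones,
    k of which are still un-eliminated.  Impossible outcomes get 0."""
    if j > k or j > h or h - j > H - k:
        return 0.0
    return comb(k, j) * comb(H - k, h - j) / comb(H, h)


def expected_lifetimes(h, H):
    """n_k = E(N | X_0 = k) for k = 0..H via the recurrence (9):
    n_0 = 0,  n_k = (1 + sum_{j<k} p_jk n_j) / (1 - p_kk)."""
    n = [0.0] * (H + 1)
    for k in range(1, H + 1):
        acc = 1.0
        for j in range(k):
            p = hypergeometric_transition(j, k, h, H)
            if p:
                acc += p * n[j]
        n[k] = acc / (1.0 - hypergeometric_transition(k, k, h, H))
    return n


def bound_22(k, h, H):
    """Closed-form upper bound (22) on n_k, obtained from (21) with the
    choice s = k*sqrt(h/H); it equals n_1 = 1/(1 - h/H) at k = 1."""
    r = h / H
    coeff = 1.0 + 1.0 / (k * (1.0 - sqrt(r)) ** 2)
    return 1.0 / (1.0 - r) + coeff * log2(k) / (-0.5 * log2(r))


def compare(h, H):
    """Side by side for a full family (k = H false matches): deterministic
    estimate (5), exact hypergeometric expectation (9), and bound (22)."""
    n = expected_lifetimes(h, H)
    return {"continuous": continuous_lifetime(H, h, H),
            "hypergeometric": n[H],
            "bound_22": bound_22(H, h, H)}


if __name__ == "__main__":
    # Illustrative parameters only (not the paper's): H = 255 false matches,
    # h = 230 survive each round, i.e. Eve rules out about 10% of the OTP values.
    print(compare(h=230, H=255))
```

The hypergeometric expectation sits above the deterministic estimate because the last few false matches each survive a round with probability $h/H$ and so take, on average, $1/(1 - h/H)$ rounds to disappear rather than one; the bound (22) is loose by a constant factor but, like the other two, grows with $\log k$.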

The goal is to prove a logarithmic bound on $n_k$ in terms of $k$ as in (5) in general. Splitting the sum of (8) at the point $s$ (just before the index $\lceil s \rceil$), and using that $n_j$ is nondecreasing in $j$, gives

$$n_k \le 1 + n_{\lceil s \rceil - 1}\,P(X_i < s \mid X_{i-1} = k) + n_k\,P(X_i \ge s \mid X_{i-1} = k). \qquad (10)$$



¹ Here, the length of the key identifying the secret hash function is actually $\log(H + 1)$.



And now solving for $n_k$ gives

$$n_k \le \frac{1}{1 - P(X_i \ge s \mid X_{i-1} = k)} + n_{\lceil s \rceil - 1}. \qquad (11)$$

If the probability in the denominator does not grow too fast when $s$ decreases from $k-1$, we can use a value $s$ sufficiently far from $k$ to establish logarithmic growth of $n_k$ in $k$. The one-sided Chebyshev inequality implies, for $s > E(X_i \mid X_{i-1} = k)$,

$$P(X_i \ge s \mid X_{i-1} = k) \le \frac{V(X_i \mid X_{i-1} = k)}{(s - E(X_i \mid X_{i-1} = k))^2 + V(X_i \mid X_{i-1} = k)}, \qquad (12)$$

so that

$$\frac{1}{1 - P(X_i \ge s \mid X_{i-1} = k)} \le \frac{(s - E(X_i \mid X_{i-1} = k))^2 + V(X_i \mid X_{i-1} = k)}{(s - E(X_i \mid X_{i-1} = k))^2} = 1 + \frac{V(X_i \mid X_{i-1} = k)}{(s - E(X_i \mid X_{i-1} = k))^2}. \qquad (13)$$

This implies that

$$n_k \le 1 + \frac{V(X_i \mid X_{i-1} = k)}{(s - E(X_i \mid X_{i-1} = k))^2} + n_{\lceil s \rceil - 1}. \qquad (14)$$

Note that even if $\lceil s \rceil$ and $s$ coincide, the indices above do not. Now let us prove using induction that

$$n_k \le a + b \log k \qquad (15)$$

with the appropriate $a$ and $b$. A simple starting point is $n_1$:

$$a = n_1 = \frac{1}{1 - p_{11}} = \frac{1}{1 - h/H}. \qquad (16)$$



Now, we assume (15) holds for $k$ less than $p \ge 2$, which implies

$$n_{\lceil s \rceil - 1} \le a + b\log(\lceil s \rceil - 1) \le a + b\log s = b\log\frac{s}{p} + a + b\log p, \qquad (17)$$

so that

$$n_p \le 1 + \frac{V(X_i \mid X_{i-1} = p)}{(s - E(X_i \mid X_{i-1} = p))^2} + b\log\frac{s}{p} + a + b\log p. \qquad (18)$$

Choosing

$$b\log\frac{p}{s} \ge 1 + \frac{V(X_i \mid X_{i-1} = p)}{(s - E(X_i \mid X_{i-1} = p))^2} \qquad (19)$$

gives the desired

$$n_p \le a + b\log p. \qquad (20)$$

By induction we obtain that the lifetime $n_k$ is bounded by

$$n_k \le \frac{1}{1 - h/H} + \left(1 + \frac{V(X_i \mid X_{i-1} = k)}{(s - E(X_i \mid X_{i-1} = k))^2}\right)\frac{\log k}{-\log\frac{s}{k}}. \qquad (21)$$

If $s$ is chosen proportional to $k$, the first term in the parenthesis will dominate at large values of $k$, and the proportionality constant appears in $\log(s/k)$. Choosing $s = k\sqrt{h/H}$, then with similar calculations as above (using $E(X_i \mid X_{i-1} = k) = kh/H$ and $V(X_i \mid X_{i-1} = k) \le kh/H$ for the hypergeometric distribution) we obtain

$$n_k \le \frac{1}{1 - h/H} + \left(1 + \frac{1}{k\,(1 - \sqrt{h/H})^2}\right)\frac{\log k}{-\frac{1}{2}\log\frac{h}{H}}, \qquad (22)$$

where the coefficient in front of the logarithm decreases to 1 when $k$ increases. The bound for $n_H$ is logarithmic in $H$ and slightly larger than the one in (5), which is natural taking the broadening of the distribution into account. This is similar to the previous more simplified situation; the lifetime of the system is linear in the key length rather than exponential in the tag length. We now need to check the remaining assumption that each round is independent of the former: does the random draw in each round follow a hypergeometric distribution?



2.2 Simulations for an SU2 Family

We want to simulate an authentication system with a secret fixed hash function from an SU2 hash function family, where the tag is OTP encrypted with a partially known key. Here, we restrict ourselves to a specific hash function family from [9] as follows. Let $\mathcal{M}$ and $\mathcal{T}$ be finite sets of messages and tags, respectively, identified with the integers $\{0, \ldots, |\mathcal{M}|-1\}$ and $\{0, \ldots, |\mathcal{T}|-1\}$. Let $p$ be the smallest prime number greater than $|\mathcal{M}|$. For each integer $0 < q < p$ and $0 \le r < p$, define a hash function $f_{(q,r)} : \mathcal{M} \to \mathcal{T}$ by

$$f_{(q,r)}(m) = ((mq + r) \bmod p) \bmod |\mathcal{T}|. \qquad (23)$$

Then $\mathcal{H}_1 = \{f_{(q,r)} : q \in \mathbb{Z}_p \setminus \{0\} \text{ and } r \in \mathbb{Z}_p\}$ is the hash function family we use. This family was introduced as $H_1$ in [9] (the index is not used in the same way as in this paper), and is not quite SU2; in Wegman and Carter's own words, it is "close".

The parameters chosen for our simulations will admittedly be very restrictive and somewhat unrealistic when compared to a full-blown QKD system. The reason for this is our bounded computational capabilities; as already mentioned, no bound is usually imposed on an attacker in QKD, but this does unfortunately not apply to authors of scientific papers. The largest hash function family we will use will be of size $2^{28}$, and our attack uses the equivalent of round-by-round exhaustive search, by keeping track of eliminated keys at each round, and this gives a high computational demand. The hash function family size will not be kept fixed in the different simulations. We use a set $\mathcal{T}$ of tags of a fixed size (a power of two whose exponent is not legible in the source), and message sets $\mathcal{M}$ of varying size from $2^9$ through $2^{13}$. For each pair of $\mathcal{M}$ and $\mathcal{T}$, there is a corresponding hash function family $\mathcal{H}$. We set Eve's partial information on the OTP key $K$ to 10%, again an unrealistically high number, but this is chosen to show the results qualitatively while still bounding the lifetime of the system, see below.

The simulations are done as follows: a hash function $f$ is taken at random from the appropriate SU2 family. In each round, a message $m_i$ is randomly drawn, and the tag $t_i$ is calculated using $f$. This tag is entered into the set $\mathcal{T}_i$, and more tags are randomly chosen from $\mathcal{T}$ to make $|\mathcal{T}_i| = h|\mathcal{T}|/|\mathcal{H}|$, which corresponds to a situation where Eve can use the OTP-encrypted tag $t_i \oplus K$ together with her partial knowledge of $K$ to identify the set $\mathcal{T}_i$. She then uses this set to identify the set of possible hash functions $\mathcal{H}_i$, and she forms the intersection $\bigcap_{j=1}^{i} \mathcal{H}_j$. When the intersection has been reduced to just one hash function, Eve has identified $f$, and this is repeated many times to estimate the lifetime of the system; the results can be seen in Fig. 1.

As we can see, the lifetime is not as was estimated in (22). It now increases exponentially as the key length increases, contrary to our earlier linear estimate. The reason for this is that the rounds are not independent, at least not for this hash function family. This is especially pronounced when there are few hash functions left: most of the increase occurs when waiting for the last few false matches to disappear. Recall that the hash functions are eliminated by using the inverse image, for one message in each round, from a set of "possible" tags to a set of "possible" hash functions. And hash functions that have not been eliminated already have a lower probability to be eliminated than they would in the case of independent rounds.

[Fig. 1 plot: number of rounds until $f$ is found (vertical axis, 100 to 1100) against key length (horizontal axis, 17 to 27).]

Fig. 1: The number of rounds until the secret hash function $f$ is found when it is taken at random from the family $\mathcal{H}_1$.

However, Eve's goal is not really finding the secret hash function $f$. Eve's objective is to be able to generate the correct tag for her (forged) message, to breach the security of the authentication. So far, our focus has been on finding the secret hash function $f$. We note that even if the remaining set $\bigcap_{j=1}^{i} \mathcal{H}_j$ contains more than one hash function, Eve can generate the correct (unencrypted) tag for her message if all the remaining hash functions map her message to the same value (say, $t_E$). Eve can check for this event by comparing the tags for her message under the different remaining hash functions. When there are few hash functions remaining, and they have a low probability to be eliminated, the probability is high that a random message is mapped to the same tag by all remaining hash functions. This means that the probability for Eve's message to be mapped to the same tag is high.

Eve also needs to identify the OTP to encrypt her tag. She can do that when the remaining hash functions in $\bigcap_{j=1}^{i} \mathcal{H}_j$ also map Alice's message to the same value $t$ (possibly different from $t_E$). Using the value of $t$, Eve can identify the OTP key $K$ used, and use that to encrypt her tag. At this point the system is broken. Changing the simulation so that Eve checks for this event gives a linear lifetime in the key length, as can be seen from Fig. 2. The simulated lifetime is slightly shorter than the estimated value, but Eve is solving a simpler task by not trying to identify the correct hash function $f$ but instead a subset that has the desired properties.

Fig. 2: The number of rounds until $f$ is found under the uniform and hypergeometric assumptions, and the number of rounds until Eve gains enough information to generate the valid tag for her forged message.
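The two simulations described in this section (run until $f$ is identified, or stop as soon as the surviving hash functions agree on both Alice's message and $m_E$) in one Python script, as an added example and not the authors' code. It uses the family (23) at toy size: $|\mathcal{M}| = 2^6$ so $p = 67$, $|\mathcal{T}| = 2^4$, and Eve's partial knowledge of the OTP is modelled as two of the sixteen values of $K$ being ruled out each round (12.5%, near the paper's 10%). These parameters and the `run_attack` / `mean_lifetimes` helpers are this example's own assumptions.

```python
import random
from math import log2


def smallest_prime_above(n):
    """Smallest prime p > n, the modulus of the family in eq. (23)."""
    p = n + 1
    while any(p % d == 0 for d in range(2, int(p ** 0.5) + 1)):
        p += 1
    return p


def wc_hash(q, r, m, p, tag_size):
    """f_(q,r)(m) = ((m*q + r) mod p) mod |T|, eq. (23)."""
    return ((m * q + r) % p) % tag_size


def hash_family(p):
    """All (q, r) with q in Z_p \\ {0} and r in Z_p: the family of size p(p-1)."""
    return [(q, r) for q in range(1, p) for r in range(p)]


def run_attack(msg_bits=6, tag_bits=4, excluded=2, seed=0, max_rounds=10_000):
    """One simulated instance of Eve's elimination attack (toy parameters,
    this example's own, not the paper's).

    Each round Alice sends (m, c) with c = f(m) XOR K for a fresh OTP K.
    Eve's partial knowledge of K is modelled as `excluded` values that K
    provably does not take this round; the remaining values give her a set
    of candidate tags, and every f' with f'(m) outside it is discarded.
    Returns the round in which the survivors all agree on f(m) and f(m_E)
    (enough to recover K and forge a tag for m_E), the round in which f
    itself is pinned down, and whether Bob would accept the forged tag.
    """
    rng = random.Random(seed)
    p = smallest_prime_above(2 ** msg_bits)
    T = 2 ** tag_bits
    family = hash_family(p)
    q_true, r_true = rng.choice(family)       # Alice and Bob's fixed secret f
    m_eve = rng.randrange(2 ** msg_bits)      # the message Eve wants to forge
    remaining = set(family)
    rounds_to_forge = rounds_to_identify = None
    forged_ok = False
    for i in range(1, max_rounds + 1):
        m = rng.randrange(2 ** msg_bits)
        K = rng.randrange(T)                  # one-time pad for this round
        c = wc_hash(q_true, r_true, m, p, T) ^ K
        impossible = rng.sample([k for k in range(T) if k != K], excluded)
        candidate_tags = {c ^ k for k in range(T) if k not in impossible}
        remaining = {f for f in remaining if wc_hash(*f, m, p, T) in candidate_tags}
        tags_m = {wc_hash(*f, m, p, T) for f in remaining}
        tags_eve = {wc_hash(*f, m_eve, p, T) for f in remaining}
        if rounds_to_forge is None and len(tags_m) == 1 and len(tags_eve) == 1:
            rounds_to_forge = i
            k_recovered = c ^ next(iter(tags_m))            # K = c XOR f(m)
            t_forged = next(iter(tags_eve)) ^ k_recovered    # t_E = f(m_E) XOR K
            # Bob's verification of the substituted pair (m_E, t_forged)
            forged_ok = t_forged == wc_hash(q_true, r_true, m_eve, p, T) ^ K
        if len(remaining) == 1:
            rounds_to_identify = i
            break
    return {"rounds_to_forge": rounds_to_forge,
            "rounds_to_identify": rounds_to_identify,
            "forged_ok": forged_ok,
            "key_length_bits": log2(len(family))}


def mean_lifetimes(trials=10, **kwargs):
    """Average both stopping rounds over independently drawn secrets f."""
    runs = [run_attack(seed=s, **kwargs) for s in range(trials)]
    forge = sum(r["rounds_to_forge"] for r in runs) / trials
    ident = sum(r["rounds_to_identify"] for r in runs) / trials
    return forge, ident


if __name__ == "__main__":
    for bits in (5, 6, 7):   # key length grows with the message size
        print(bits, mean_lifetimes(trials=10, msg_bits=bits))
```

Because the true $f$ is never eliminated (the real $K$ is never among the excluded values), the recovered pad is exact whenever the survivors agree on $f(m)$, so the forged tag always passes Bob's check; varying `msg_bits` changes `key_length_bits` and lets the two stopping rules be compared against Fig. 2 at small scale.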

3 Upper bound to security loss

This is not in conflict with composable security of QKD [12,13]. Moreover, the composability can be used to provide an upper bound to the security loss on the fixed secret hash function. The composability theorem for QKD states that if an $\varepsilon_1$-ideal QKD protocol is composed with an $\varepsilon_2$-ideal cryptographic application, e.g., $\varepsilon_2$-ideal authentication, the whole system is $(\varepsilon_1 + \varepsilon_2)$-ideal. So, if an $\varepsilon_1$-ideal QKD is composed with an $\varepsilon_2$-ideal authentication, then the whole system becomes $(\varepsilon_1 + \varepsilon_2)$-ideal and generates an $(\varepsilon_1 + \varepsilon_2)$-perfect key. It was argued in [12] that the security parameter for the key stream generated from the repeated use of QKD can be made arbitrarily small by increasing the communication complexity of the protocol; that is, by making the sequence of security parameters for QKD-generated keys a geometric sequence. This unfortunately is not possible with the authentication under consideration here. The present authentication procedure uses a fixed secret SU2 hash function, and this fixes the length of the message that can be authenticated. Thus, it is reasonable to assume that the practical implementation of the QKD is $\varepsilon_1$-ideal at a constant $\varepsilon_1$ in each round.
Fig. 3: Composability diagram of QKD with authentication with fixed key followed by an OTP.



Now, let us look at the sequence of security loss on the secret but fixed hash function $f$ with help of the composability theorem (see Fig. 3).

— In the first round, the composed system of $\varepsilon_1$-ideal QKD and $\varepsilon_2$-ideal authentication produces an $(\varepsilon_1 + \varepsilon_2)$-perfect key. A portion of this $(\varepsilon_1 + \varepsilon_2)$-perfect QKD-generated key will be used as the OTP key for the $\varepsilon_2$-ideal authentication in the second round.

— In the second round, the composed system of $\varepsilon_1$-ideal QKD and $\varepsilon_2$-ideal authentication using an $(\varepsilon_1 + \varepsilon_2)$-perfect key produces a $2(\varepsilon_1 + \varepsilon_2)$-perfect key. A portion of this $2(\varepsilon_1 + \varepsilon_2)$-perfect key will be used as the OTP key for the authentication in the third round. Furthermore, the $\varepsilon_1 + \varepsilon_2$ information on the OTP key leaks $\varepsilon_1 + \varepsilon_2$ information on the fixed hash function, which makes the authentication $(\varepsilon_1 + 2\varepsilon_2)$-ideal.

— In the third round, the composed system of $\varepsilon_1$-ideal QKD and $(\varepsilon_1 + 2\varepsilon_2)$-ideal authentication using a $2(\varepsilon_1 + \varepsilon_2)$-perfect key produces a $4(\varepsilon_1 + \varepsilon_2)$-perfect key. A portion of this $4(\varepsilon_1 + \varepsilon_2)$-perfect key will be used as the OTP key for the authentication in the fourth round. Furthermore, the $2(\varepsilon_1 + \varepsilon_2)$ information on the OTP key leaks $2(\varepsilon_1 + \varepsilon_2)$ information on the fixed hash function, which makes the authentication $(3\varepsilon_1 + 4\varepsilon_2)$-ideal.

— In the fourth and following rounds, the process continues, doubling the coefficient for each round.

The important property of this authentication scheme is that the information gained on the fixed hash function $f$ at the current round carries through to the next round. In other words, the information leakage on $f$ at each round can be combined. Therefore, after the $n$-th round, the information leaked to Eve on the secret but fixed hash function is $(2^{n-1} - 1)\varepsilon_1 + 2^{n-1}\varepsilon_2$, so that the authentication becomes $\big((2^{n-1} - 1)\varepsilon_1 + 2^{n-1}\varepsilon_2\big)$-ideal. The attack in Section 2 only assumes that the QKD-generated key in each round is equally strong; in other words, Eve's knowledge of the QKD-generated key in each round is the same.

4 Conclusions 

In this paper, the security of a specific authentication primitive is studied, a primitive that uses a fixed secret hash function followed by a one-time-pad encryption of the tag. This is of interest in QKD because of its low consumption of secret key. We found that, by fixing Eve's partial knowledge of the OTP key in each QKD round, the lifetime of the system is linear in the length of the fixed key. Moreover, using the composability theorem, we found that the leakage of information on the secret but fixed key is exponentially upper bounded in the number of authentication rounds. A suitable countermeasure would be to change the fixed secret key regularly, at an interval that ensures that Eve's collected information on the fixed key does not become too large. This would make the key consumption rate again logarithmic in the message length, but at a rate much lower than the standard Wegman-Carter authentication that uses a new $\varepsilon$-ASU2 hash function in each round.